author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-08-21 12:04:12 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-08-26 18:52:28 +0200 |
commit | fbd8fb09c50bcee3f046dce2281f25baa4e14927 (patch) | |
tree | f70bedf2084f2ea3526e945430f9910922164445 /include | |
parent | 913979f882d13360cba11fd4402d193d74b0396a (diff) |
src: add chain hashtable cache
This significantly improves ruleset listing time with large rulesets
(~50k rules) with _lots_ of non-base chains.
# time nft list ruleset &> /dev/null
Before this patch:
real 0m11,172s
user 0m6,810s
sys 0m4,220s
After this patch:
real 0m4,747s
user 0m0,802s
sys 0m3,912s
This patch also removes list_bindings from netlink_ctx since there is no
need to keep a temporary list of chains anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/cache.h | 14 | ||||
-rw-r--r-- | include/netlink.h | 1 | ||||
-rw-r--r-- | include/rule.h | 4 |
3 files changed, 17 insertions, 2 deletions
diff --git a/include/cache.h b/include/cache.h
index b9db1a8f..baa2bb29 100644
--- a/include/cache.h
+++ b/include/cache.h
@@ -45,4 +45,18 @@ static inline uint32_t djb_hash(const char *key)
 return hash;
 }
 
+#define NFT_CACHE_HSIZE 8192
+
+struct netlink_ctx;
+struct table;
+struct chain;
+struct handle;
+
+struct nftnl_chain_list *chain_cache_dump(struct netlink_ctx *ctx, int *err);
+int chain_cache_init(struct netlink_ctx *ctx, struct table *table,
+ struct nftnl_chain_list *chain_cache);
+void chain_cache_add(struct chain *chain, struct table *table);
+struct chain *chain_cache_find(const struct table *table,
+ const struct handle *handle);
+
 #endif /* _NFT_CACHE_H_ */
diff --git a/include/netlink.h b/include/netlink.h
index ad2247e9..b78277a8 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -64,7 +64,6 @@ struct netlink_ctx {
 struct nft_ctx *nft;
 struct list_head *msgs;
 struct list_head list;
- struct list_head list_bindings;
 struct set *set;
 const void *data;
 uint32_t seqnum;
diff --git a/include/rule.h b/include/rule.h
index f2f82cc0..62d25be2 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -8,6 +8,7 @@
 #include <libnftnl/object.h> /* For NFTNL_CTTIMEOUT_ARRAY_MAX. */
 #include <linux/netfilter/nf_tables.h>
 #include <string.h>
+#include <cache.h>
 
 /**
 * struct handle_spec - handle ID
@@ -153,6 +154,7 @@ struct table {
 struct handle handle;
 struct location location;
 struct scope scope;
+ struct list_head *chain_htable;
 struct list_head chains;
 struct list_head sets;
 struct list_head objs;
@@ -217,6 +219,7 @@ struct hook_spec {
 */
 struct chain {
 struct list_head list;
+ struct list_head hlist;
 struct handle handle;
 struct location location;
 unsigned int refcnt;
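Review bot: The new prototypes in include/cache.h state no ownership or error contract, and two of them need one. `chain_cache_dump()` appears to report failure through both its return value and `*err`, and nothing says who frees the returned list; `chain_cache_find()` returns a `struct chain *` without saying whether the caller holds a reference, although `struct chain` is reference-counted (`refcnt`, `chain_get()` in include/rule.h). If the pointer is borrowed, I would add `/* Returns a borrowed pointer; take chain_get() to keep it past the cache's lifetime. */` above `chain_cache_find()`, and a matching line on the list returned by `chain_cache_dump()`. `struct nftnl_chain_list` is also the only type used here without a forward declaration beside the other four; `struct nftnl_chain_list;` would keep the header self-contained.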
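Review bot: `chain_htable` in `struct table` and `hlist` in `struct chain` (the next hunk) are added without a line in the kernel-doc comment that precedes the struct; the ` */` context line above `struct chain {` shows such a comment exists there, and presumably one sits above `struct table` too, though both bodies are outside the hunks. I would add `@chain_htable: array of NFT_CACHE_HSIZE hash buckets holding this table's chains` and `@hlist: chain_htable bucket node`, adjusted to what src/ actually does. Because the member is a bare `struct list_head *`, that doc line is the only place a reader of rule.h learns the array length, which matters for anyone indexing it.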
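Review bot: `hlist` gives every chain a second list membership, and this header-only view does not show it being initialised or unlinked. If `chain_free()` releases a chain that is still linked into `table->chain_htable`, the bucket keeps a dangling node and a later `chain_cache_find()` would walk freed memory; an `hlist` left uninitialised on chains that never reach `chain_cache_add()` is equally unsafe to unlink. Worth confirming in src/ that `chain_alloc()` calls `init_list_head(&chain->hlist)` and that the free path does `list_del(&chain->hlist)` before the chain is released. `struct chain` continues past the end of the hunk.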
@@ -242,7 +245,6 @@ extern const char *chain_hookname_lookup(const char *name);
 extern struct chain *chain_alloc(const char *name);
 extern struct chain *chain_get(struct chain *chain);
 extern void chain_free(struct chain *chain);
-extern void chain_add_hash(struct chain *chain, struct table *table);
 extern struct chain *chain_lookup(const struct table *table,
 const struct handle *h);
 extern struct chain *chain_lookup_fuzzy(const struct handle *h, |